Duqu: Meet the Son of Stuxnet

It was only a matter of time. A Stuxnet malware knock-off has been identified and named Duqu (DQ for short), after characters that appear repeatedly in its code. Speculation abounds as to where it came from and why it exists.

Symantec was the first to raise the warning flag on the 18th after being clued in by an unnamed research lab. McAfee jumped into the fray with opposing opinions. Security threats abound nowadays and security companies dig for explanations and countermeasures.

Everyone agrees that Duqu has a different agenda than the Stuxnet worm, which was developed to sabotage the operation of a nuclear facility. Duqu's mission is either information gathering from the industrial control systems of manufacturing companies, per Symantec, or illegitimate use of Certificate Authorities, per McAfee.

Duqu uses keystroke logging and network enumerators and may be poking around looking for design documents which could help its authors design a cyber attack. Perhaps they are hoping to create havoc similar to the centrifuge demolition in the Natanz nuclear facility in Iran. On the other hand, it may be set to steal digital certificates used by websites to identify themselves, specifically in Asia, Europe and Africa.

Symantec contends that Duqu stole a private key from one of their own customers rather than generating one for its own malevolent purpose. Symantec promptly revoked the certificate.

Symantec says what Duqu learns from the information it gathers will be used against a future target, thought to be a European-based industrial control systems manufacturer.

The originators and purveyors of Duqu remain in shadow. Anonymous, which conducted a cyber attack on Monsanto, has been mentioned in passing. That attack was meant to draw attention to the genetically altered foods being forced on farmers. Anonymous' methods indicate that it might be able to reach industrial control system networks, but experts think Duqu is more sophisticated, has a much better chance, and carries a more evil intent. Duqu uses some of the same code as Stuxnet, so it is logical to assume that it grew from the same source.

Oddly, Duqu, by its own design, only runs 36 days before deleting itself from its target. This hit-and-run method sometimes keeps it under the radar and makes it difficult to track. It is still unknown how the virus is supposed to replicate or how it infects the system to begin with. In the days to come, more should become known.